Figure 5 - uploaded by Raúl Mazo
A standard modification abuse frame taken from [67] 

Source publication
Article
Security is a concern that must be taken into consideration starting from the early stages of system development. Over the last two decades, researchers and engineers have developed a considerable number of methods for security requirements engineering. Some of them rely on the (re)use of security knowledge. Despite some existing surveys about secu...

Context in source publication

Context 1
... Figure 5 shows a standard modification frame. Modification arises whenever an attacker wishes to change an information asset in the physical world. ...

Similar publications

Article
The Semantic Web is a mesh of information linked up such that it can be easily processed by machines. The focus of semantic web is to share data instead of documents and the ontologies act as the mainstay of the semantic web. Ontologies are used to represent domain knowledge in semantic web. As ontologies have many applications in various prominent...

Citations

... The concept of a requirements repository has been proposed for requirements reusability in various processes and models [28,53]. However, both methods use repositories or catalogues in textual or semi-formal forms [50]. Also, [34] finds out that most of the requirements reuse techniques are textual copy based and that there is a direct relationship between the requirements reuse and the adopted technology. ...
Article
We must explicitly capture relationships and hierarchies between the multitude of system and security standards requirements. Current security requirements specification methods do not capture such structure effectively, making requirements management and traceability harder, consequently increasing costs and time to market for developing certified ICS. We propose a novel requirements repository model for ICS that uses labelled property graphs to structure and store system-specific and standards-based requirements using well-defined relationship types. Furthermore, we integrate the proposed requirements repository with design-time ICS tools to establish requirements traceability. A wind turbine case study illustrates the overall workflow in our framework. We demonstrate that a robust requirements traceability matrix is a natural consequence of using labelled property graphs. We also introduce a compatible requirements change management procedure that aids in adapting to changes in development and certification schemes.
... Area / Reference
Machine learning: [347, 246, 208, 212, 48, 324, 67, 186, 296, 21, 130, 145, 207, 229, 245, ?, ?, 289, 303, 304, 356, 16, 42, 44, 54, 56, 60, 82, 83, 95, 110, 131, 132, 147, 148, 177, 219, 223, 228, ?, 312, 322, 344, 2, 7, 15, 20, 31, 34, 41, 47, 50, 53, 57, 70, 85, 100, 119, 123, 125, 126, 140, 159, 161, 164, 168, 183, 179, 197, 198, 210, 217, 218, 234, 251, 263, 271, 274, 288, 293, 302, 313, 319, 327, 336, 359, 362, 366, 46, 58, 61, 72, 80, 91, 108, 124, 135, 138, 163, 171, 173, 195, 206, 233, 247, 256, 261, 268, 269, 314, 320, 321, 325, 330, 334, 335, 340, 345, 358, 103, 155, 170, 211, 249, 250, 252, 275, 281, 284, 298, 353, 361, 363, 253]
Deep learning: [208, 77, 267, 270, 350, 9, 29, 56, 95, 154, 165, 202, 205, 243, 279, 317, 11, 25, 98, 101, 109, 114, 115, 164, 174, 187, 204, 199, 213, 214, 230, 336, 339, 343, 359, 371, 8, 10, 23, 40, 51, 62, 63, 66, 72, 75, 88, 116, 129, 136, 162, 173, 181, 185, 190, 194, 203, 224, 232, 242, 272, 277, 297, 352, 97, 120, 122, 152, 156, 200, 222, 225, 240, 284, 286, 287, 301, 305, 307, 316, 370]
3.1.4 Natural language processing
Area / Reference
Natural language processing (NLP): [26, 158, 167, 32, 28, 282, 151, 346, 221, 300, 372, 209, 264, 360, 343, 36, 68, 118, 134, 266, 278, 368, 18, 79, 283, 294, 292, 342, 357]
Natural language generation (NLG): [43]
Word segmentation - Word sense disambiguation: [169]
Text processing - Text summarization: [133, 189, 348, 341]
Text processing - Text mining (TM): [150, 26, 26, 117, 244, 1, 311, 121, 262, 306, 176, 175, 315, 332, 112, 113, 127, 257, 24, 22, 37, 87, 153, 5, 111, 146, 191, 255, 14, 39, 49, 102, 328]
Text processing - Text classification: [339, 35]
Sentiment analysis: [182, 27, 17, 151, 299, 6, 93, 113, 280, 4, 137, 188, 209, 232, 13, 30, 40, 64, 94, 160, 215, 260, 238]
Named entity recognition: [143, 172, 144, 295]
IE: [364]
Information extraction - Relation extraction: [37, 111, 146]
Open information extraction?: [139, 142]
3.1.5 ...
... Studies focusing on security requirements reusability selected different features to be reused. These features include requirement statements, security patterns, security goals, countermeasures, threats, attacks, assets, organizations, and vulnerabilities [4]. The representation of the reusable features also differs. ...
... The categorization criteria for the requirement statements are based on application components/features which correspond to a mixture of assets, architectural properties, infrastructure elements, and application functionalities. In order to get more information related to studies that take security goals, countermeasures, threats, attacks, assets, organizations, and vulnerabilities as reusability items, please refer to Souag et al. [4]. ...
... One important common weakness is the lack of automated support for the majority of the earlier approaches. This issue was also highlighted in the survey study by Souag et al. [4]. Souag ...
Article
Forming high quality requirements has a direct impact on project success. Gathering security requirements can be challenging, since it demands a multidisciplinary approach and security expertise. A security requirements repository enables an effective alternative for addressing this challenge. The main objective of this paper is to present the design of a practical repository model for reusable security requirements, which is easy to use and understand even for non-security experts. The paper also portrays an approach and a software tool for using this model to determine subtle security requirements for improved coverage. The proposed repository consists of attributes determined by examining common security problems covered in state-of-the-art publications. A test repository was prepared using specification files and Common Criteria documents. The outcomes of applying the proposed model were compared with the sample requirement sets included in the state-of-the-art publications. The results reveal that in the absence of a security requirements repository, key security points can be missed. The repository improves the completeness of the security terms with reasonable effort.
... Souag et al. [27] proposed a comparison framework to provide a systematic mapping of the reusable concepts and patterns within the existing SRE methodologies. Accordingly, research contributions were classified into 5 categories: security patterns, taxonomies and ontologies, templates and profiles, catalogues and generic models and miscellaneous. ...
... From our study, we noted that the majority of the evaluation studies except [29] lack a full emphasis on the whole SRE process [35]. While some works [21,22,31] concentrate on evaluating the extent of support to security requirements elicitation at earlier stages, some others [27] focus on evaluating the extent of support to documentation in terms of reusable patterns or modelling initiatives. Issue B: Evaluation criteria affirmation. ...
Article
Effective network security requirements engineering is needed to help organizations capture cost-effective security solutions that protect networks against malicious attacks while meeting the business requirements. The diversity of currently available security requirements engineering methodologies leads security requirements engineers to an open question: how to choose one? We present a global evaluation methodology that we applied during the IREHDO2 project to find a requirements engineering method that could improve network security. Our evaluation methodology includes a process to determine pertinent evaluation criteria and a process to evaluate the requirements engineering methodologies. Our main contribution is to involve stakeholders (i.e., security requirements engineers) in the evaluation process by following a requirements engineering approach. We describe our experiments conducted during the project with security experts and the feedback we obtained. Although we applied it to evaluate three requirements engineering methods (KAOS, STS and SEPP) in the context of network security, our evaluation methodology can be instantiated in other contexts and for other methods.
... The first process is Pre Prioritization and Selection (Pre-PAS), which includes modeling and describing the requirements as well as preprocessing the data required for prioritizing those requirements. Pre-PAS process uses our previously developed modeling technique [16] to capture the partiality of the requirements and their corresponding goals [17][18][19] in a Software Requirement Model (SRM); each requirement contributes to the satisfaction of at least one goal. The SRM of a software project will be used to construct the Software Requirement List (SRL) of that project. ...
Article
Prioritization and selection of requirements is an essential component of software development. The process, however, often leads to ignoring some requirements due to budget limitations, without considering the impact of those requirements on the values of the selected requirements. That may lead to user dissatisfaction and financial losses in software projects. To mitigate this problem, we propose a method that allows for partial satisfaction (selection) of software requirements rather than ignoring them, when tolerated. To demonstrate the effectiveness of the proposed method, we have carried out experiments; our initial results suggest that the method mitigates value loss by reducing the chances that requirements with positive influences are ignored.
... In the past, this concept was not held in high priority, as it was widely believed that a simple security network infrastructure would be enough to stave off attacks by malicious users. However, this has proven not to be enough, particularly now that the use of insecure systems is frequent in critical systems and organizations, such as healthcare, transportation [14] and surveillance systems. Hence, given the overwhelming number of attacks faced by high profile companies and governments, it is crucial that the security and technological implementations, physical and digital, be highly secure in order to reduce the risks of data leakage and thievery [15]. This has formed the SDLC (Software Development Life Cycle), which is a set of development tactics that helps with planning to design secure software. ...
Preprint
Security holds an important role in software. Most people are not aware of the significance of security in software systems and tend to assume that they will be fine without security in their software systems. However, the lack of security features causes all possible vulnerabilities to be exposed to the public. This provides opportunities for attackers to perform dangerous activities on vulnerable, insecure systems. This is the reason why many organizations are reported as being victims of system security attacks. In order to achieve the security requirement, developers must take time to study so that they truly understand the consequences and importance of security. Hence, this paper is written to discuss how secure software development can be performed. To reach the goal of this paper, relevant research has been reviewed. Multiple case study papers have been studied to find out the answers to how vulnerabilities are identified, how to eliminate them, when to implement security features, and why we implement them. Finally, the paper is concluded with final remarks on the implementation of security features during the software development process. It is expected that this paper will be a contribution towards the aforementioned software security domain, which is often ignored during practical application.
... Most of the studies have claimed that requirements re-usability is a challenging job and that practitioners face lots of challenges in reusing requirements in distributed and large-scale agile software development projects [11,14,28,61]. Different literature also stated that software organizations face lots of problems if any changes occur in customer requirements or in technology. ...
Chapter
In global software development, requirements re-usability is a common practice which ultimately helps to maintain project quality and reduce both development time and cost. However, when a large-scale project is distributed, there are some critical factors that need to be maintained and managed for reusing requirements, and it is considered a challenging job to interrelate the requirements between two identical projects. In this study, we have pointed out 48 challenges faced and 43 mitigation techniques used when implementing requirements re-usability in global software development projects among distributed teams. The challenges distributed teams frequently encounter can be divided into three considered issues: Communication, Coordination and Control of distributed teams in global software development. The results from this study can be used to plan development strategies while reusing requirements in a distributed manner.
... The authors in Souag et al. (2016) presented a systematic mapping study and an analysis of existing security requirement engineering methods that employ the reuse of knowledge. The major objective of the works was to ensure that security requirements engineering methods rely on the reusability of knowledge. ...
Article
The lack of national security standardization bodies can have an adverse impact on the adoption of international security standards and best practices. To assure security confidence among various organizations and to promote systematic adoption of standards and best standards, a practical framework that can support comparative measures is needed. This paper presents GoSafe, a novel practical cybersecurity assessment framework that is tailored to the ISO 2700x standard requirements for the development of an Information Security Management System (ISMS). GoSafe can be used as both a self-assessment and an auditing/scoring tool by national cybersecurity authorities. Using GoSafe, organizations can evaluate their existing information security management systems against local and international standards by utilizing built-in pre-audit tools. As such, GoSafe will help organizations evaluate and enhance their readiness for evolving risks and threats. In the GoSafe framework, a novel mathematical model was also designed and implemented for the scoring/rating tool, namely, the national cyber security index (aeNCI). The aeNCI employs multiple parameters to determine the maturity of existing cybersecurity programs at national organizations and generate classification and comparison reports. The efficacy of the proposed GoSafe framework is demonstrated using a practical case study. The results enabled the stakeholder to verify the security configuration of their systems and identify potential attack/risk vectors.
... An extensive SLR in the specialized research area of model-driven security was conducted by Nguyen et al. [39], where the authors also consider UML profiles (e.g., UMLSec, SecureUML, etc.) for the definition of security-oriented DSLs. In addition, Souag et al. [55] surveyed UML-based extensions for modeling security in the field of security requirements engineering. ...
Article
The OMG standard Systems Modeling Language (SysML) has been on the market for about thirteen years. This standard is an extended subset of UML providing a graphical modeling language for designing complex systems by considering software as well as hardware parts. Over the period of thirteen years, many publications have covered various aspects of SysML in different research fields. The aim of this paper is to conduct a systematic mapping study about SysML to identify the different categories of papers, (i) to get an overview of existing research topics and groups, (ii) to identify whether there are any publication trends, and (iii) to uncover possible missing links. We followed the guidelines for conducting a systematic mapping study by Petersen et al. (Inf Softw Technol 64:1–18, 2015) to analyze SysML publications from 2005 to 2017. Our analysis revealed the following main findings: (i) there is a growing scientific interest in SysML in the last years particularly in the research field of Software Engineering, (ii) SysML is mostly used in the design or validation phase, rather than in the implementation phase, (iii) the most commonly used diagram types are the SysML-specific requirement diagram, parametric diagram, and block diagram, together with the activity diagram and state machine diagram known from UML, (iv) SysML is a specific UML profile mostly used in systems engineering; however, the language has to be customized to accommodate domain-specific aspects, (v) related to collaborations for SysML research over the world, there are more individual research groups than large international networks. This study provides a solid basis for classifying existing approaches for SysML. Researchers can use our results (i) for identifying open research issues, (ii) for a better understanding of the state of the art, and (iii) as a reference for finding specific approaches about SysML.
... Moreover, while there are various RE techniques for all phases of the RE process, from requirements elicitation to requirements verification and validation [34], none of these techniques addresses RE for a KM solution, which differs from the typical RE for IT. In addition, there are studies that address the KM aspect in the sense of the reuse of IT requirements [35,36]; however, we found no research works addressing RE for KM solutions. In the next subsections, we elaborate on the aforementioned approaches and their related methodologies. ...
Article
This paper proposes a unified knowledge management requirements engineering methodology (KM-REM) for tackling the complex nature of knowledge-intensive organizations. Despite the importance of KM for the success of knowledge-intensive organizations, the concept of RE for KM solutions is still vague and lacking. Its definitions and guidelines for addressing the different facets of KM during the RE process are yet to be well-defined, encompassing social and technical aspects thereof. Applying the design science research paradigm by using a method engineering methodology, the KM-REM method was developed and implemented in a case study involving a global IT provider firm. This allowed for a comprehensive analysis and requirements specification for a KM solution, which was validated based on expert (managers) evaluation. KM-REM provides comprehensive, practical guidance and tools for KM analysts and RE professionals for conducting KM-oriented RE, toward enhancing knowledge-intensive business processes with embedded KM solutions. Moreover, KM-REM facilitates tractability in the RE process by focusing on manageable KM requirements. Thus, the contribution of KM-REM is threefold. First, it extends the research on RE for KM solutions as a specialized area within the RE discipline. Second, it cohesively organizes the RE dimensions and modeling principles for KM, providing customized guidelines and tools. Third, it demonstrates how the perspectives of traditional RE methods can be extended to include social and cultural aspects.